alternatives to SESSION and COOKIE?

0

While it's true that between cookies and sessions there are similarities and differences, is there an alternative to these two options?

On the one hand, the information in cookies can be modified by the user, so storing, for example, a user's ID is not recommended. And on the other hand, the information of a session is deleted once the user leaves the browser (if I am wrong about something, correct me). So, how can the user's identity be securely stored so that it cannot be modified or deleted when leaving the browser?

asked by gmarsi 11.12.2017 at 22:46

3 answers

6

A PHP session safely saves the user name, login status and other things in the $_SESSION array, since it is stored on the server. The only thing that is sent to the browser is a single cookie (called PHPSESSID unless you have changed it in php.ini) that contains the ID of the session, which is a unique random number.

Once your visitor has an active session, each time they request a page that has session_start() at the top, session_start() will look in the request for a cookie called PHPSESSID, read the session file on the server (if the session exists and is valid) and restore the saved $_SESSION array. This array never needs to leave the server.

The PHPSESSID cookie is set without an expiration date (unless you set the session.cookie_lifetime option in php.ini), so the browser deletes it when it closes. The session file on the server has an expiration time, managed by session.gc_maxlifetime (in seconds).

On the road to safer sessions:

  • Use bcrypt, scrypt, Argon2 or PBKDF2 to hash your passwords.
  • Use PHP's built-in session management system (more information: Spanish, English).
  • Use HTTPS everywhere, with HTTP Strict Transport Security.
  • Use a Content-Security-Policy header to upgrade insecure requests.
  • If you need to implement a "Remember Me" feature, follow the instructions in the blog post:

  • Generate two random tokens (random_bytes()): a selector and an identifier.
  • Store the selector and identifier in an HTTP cookie, set to secure = true and httpOnly = true so that it is only accessible via HTTPS (and hidden from JavaScript).
  • Save the selector and a hash (SHA256 is OK here) of the identifier in the table of tokens.
  • Authenticate the user, based on the token stored in their cookie, in constant time.

You can see more information about sessions and security here.

What you should not do in a secure login system

You can set the cookie flags with the session_set_cookie_params() function or within your php.ini.

session_set_cookie_params(0, '/', '', true, true); // $lifetime = 0 (browser session), $path = '/', $domain = '' (current host), $secure = true, $httponly = true

Finally, you should create a logout script (and encourage users to use it instead of just navigating away). This is a sample script:

<?php
  session_start();
  $_SESSION = [];                       // clear the server-side session data
  $params = session_get_cookie_params();
  // expire the session cookie in the browser (timestamp 1 = far in the past), keeping the same flags it was set with
  setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
  session_regenerate_id(true);          // new ID; the old session file is deleted
  session_destroy();
  session_write_close();
  header('Location: your_login_page.php');
  exit;

Also after a successful login or logout, change the session ID :

session_regenerate_id();

to close the session:

session_regenerate_id(true);
  

This post (source) explains the theory, and Gatekeeper implements it.

Now you can investigate further.

    
answered by 12.12.2017 / 04:55
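The "Remember Me" scheme in the list above (selector plus identifier, only a hash of the identifier stored, constant-time check), written out as an added example. This is not code from the original answer or from the linked blog post; a PHP array stands in for the database table of tokens, and the function names, the cookie name remember_me and the 30-day lifetime are this example's own choices.

```php
<?php
// Added example: persistent-login tokens with a selector/identifier split.
// An array stands in for the `auth_tokens` table; names below are assumptions.
declare(strict_types=1);

const TOKEN_TTL = 30 * 24 * 3600; // assumed lifetime: 30 days

/** Issue a token for $userId. Returns the cookie value "selector:identifierHex";
 *  the table only ever holds the selector and a SHA-256 of the identifier. */
function issueRememberToken(array &$table, int $userId, int $now): string
{
    $selector   = bin2hex(random_bytes(12)); // 24 hex chars, public lookup key
    $identifier = random_bytes(32);          // 256-bit secret; never stored in clear
    $table[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $identifier), // unsalted SHA-256 is fine: input is 256 random bits
        'expires_at' => $now + TOKEN_TTL,
    ];
    return $selector . ':' . bin2hex($identifier);
}

/** Attributes for the cookie that carries the token (array form of setcookie(), PHP 7.3+). */
function rememberCookieOptions(int $now): array
{
    return ['expires' => $now + TOKEN_TTL, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

/** Resolve a cookie value to a user id, or null. The hash comparison runs in
 *  constant time and is performed even when the selector is unknown. */
function authenticateRememberToken(array &$table, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null; // malformed: not something issueRememberToken() produced
    }
    [$selector, $identifierHex] = $parts;
    $row        = $table[$selector] ?? null;
    $storedHash = $row['token_hash'] ?? str_repeat('0', 64); // dummy value keeps timing uniform
    $candidate  = hash('sha256', hex2bin($identifierHex));
    $matches    = hash_equals($storedHash, $candidate);
    if ($row === null || !$matches) {
        return null;
    }
    if ($row['expires_at'] < $now) {
        unset($table[$selector]); // expired: garbage-collect the row
        return null;
    }
    return $row['user_id'];
}

/** Revoke the token on logout by deleting its row (the cookie alone is not enough). */
function revokeRememberToken(array &$table, string $cookie): void
{
    unset($table[explode(':', $cookie, 2)[0]]);
}

// Demo run (constructed data). In a web request the cookie would be set with:
//   setcookie('remember_me', $cookie, rememberCookieOptions(time()));
$authTokens = [];
$now    = time();
$cookie = issueRememberToken($authTokens, 42, $now);
echo "valid token:    ", var_export(authenticateRememberToken($authTokens, $cookie, $now), true), "\n";

// Client tampers with one hex digit of the identifier
$last     = substr($cookie, -1) === '0' ? '1' : '0';
$tampered = substr($cookie, 0, -1) . $last;
echo "tampered token: ", var_export(authenticateRememberToken($authTokens, $tampered, $now), true), "\n";

echo "expired token:  ", var_export(authenticateRememberToken($authTokens, $cookie, $now + TOKEN_TTL + 1), true), "\n";
revokeRememberToken($authTokens, $cookie);
echo "rows left:      ", count($authTokens), "\n";
```

The split matters for two reasons the answer only hints at: the selector lets the server find the row without comparing the secret against every token, and because only the hash of the identifier is stored, a read-only leak of the table does not let anyone forge a cookie. hash_equals() is what gives the "constant time" property from the last list item.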
0

Try using the browser's LocalStorage. With JavaScript it is quite simple to implement, and it has saved my life several times when I wanted data that persists from one session to the next. Here's an example. Now, regarding security, I'll tell you up front that it is editable by a user with knowledge of the subject. But it is up to you to implement measures to validate that information before using it. Finally, you can use the database to manage the user's information and not to access it.

    
answered by 11.12.2017 в 23:09
0
  

So, how can the user's identity be stored securely and can it not be modified or deleted when leaving the browser?

You cannot prevent the user from deleting or modifying your session cookie. The user can always modify their session identifier, or delete their cookies so that on the next visit you do not detect that it was the same user. Using LocalStorage does not solve this, since the user can also modify the LocalStorage data.

And that's the way it should be, for reasons of privacy. You cannot force a user to send their ID to your server if they do not want to.

  

On the one hand, the information of the cookies can be modified by the user, so storing, for example, a user's ID is not recommended

For this reason, what is stored in the value of the cookie is only the session ID, and the data (such as the user ID associated with that session) are stored on the server. In this way the user can only change the session ID, which should be random enough to make this useless.

Finally, a tip: the system of sessions and cookies is perfectly safe provided it is used correctly. Do not reinvent the wheel and make sure you use these systems correctly.

    
answered by 11.12.2017 в 23:50
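The point made in this answer (only a random session ID leaves the server; everything else, including the user ID, stays server-side) as an added example, not code from any of the answers. PHP's own session files are replaced by an array so the script runs from the command line, the ID format is the 32-hex-character form that bin2hex(random_bytes(16)) produces, and the function names and the 1440-second idle limit are this example's assumptions (1440 s is PHP's default session.gc_maxlifetime).

```php
<?php
// Added example: a minimal server-side session store. An array stands in for
// PHP's session files; all names are this example's own.
declare(strict_types=1);

const SESSION_LIFETIME = 1440; // idle seconds before a session is collected (PHP's default gc_maxlifetime)

/** 128 bits from the CSPRNG; this is the only value the client ever sees. */
function newSessionId(): string
{
    return bin2hex(random_bytes(16));
}

/** Cookie attributes as accepted by session_set_cookie_params() in array form (PHP 7.3+). */
function sessionCookieParams(): array
{
    return ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

/** Start a session for $userId; the user ID itself is stored here, not in the cookie. */
function createSession(array &$store, int $userId, int $now): string
{
    $id = newSessionId();
    $store[$id] = ['user_id' => $userId, 'last_seen' => $now];
    return $id;
}

/** Map a cookie value back to its data. Anything the client altered simply finds no row. */
function resolveSession(array &$store, string $id, int $now): ?array
{
    if (strlen($id) !== 32 || !ctype_xdigit($id)) {
        return null; // not a value newSessionId() could have produced
    }
    $data = $store[$id] ?? null;
    if ($data === null) {
        return null;
    }
    if ($now - $data['last_seen'] > SESSION_LIFETIME) {
        unset($store[$id]); // idle too long: garbage-collect, like gc_maxlifetime
        return null;
    }
    $store[$id]['last_seen'] = $now;
    return $store[$id];
}

/** What session_regenerate_id(true) does: new ID, same data, old ID removed.
 *  Call it after login and logout so a pre-login ID never becomes an authenticated one. */
function regenerateSessionId(array &$store, string $oldId): ?string
{
    if (!isset($store[$oldId])) {
        return null;
    }
    $newId = newSessionId();
    $store[$newId] = $store[$oldId];
    unset($store[$oldId]);
    return $newId;
}

// Demo run (constructed data)
$store = [];
$now   = time();
$id    = createSession($store, 42, $now);
echo "cookie carries only: $id\n";
echo "server-side data:    ", json_encode(resolveSession($store, $id, $now)), "\n";

// A client editing the cookie to guess another user's ID gets nothing
$guess = substr($id, 0, 31) . (substr($id, -1) === 'a' ? 'b' : 'a');
echo "tampered id:         ", var_export(resolveSession($store, $guess, $now), true), "\n";

// After login the ID is rotated; the old one no longer resolves
$newId = regenerateSessionId($store, $id);
echo "old id after rotate: ", var_export(resolveSession($store, $id, $now), true), "\n";
echo "new id after rotate: ", json_encode(resolveSession($store, $newId, $now)), "\n";

// Idle expiry
echo "after idle limit:    ", var_export(resolveSession($store, $newId, $now + SESSION_LIFETIME + 1), true), "\n";
```

With 128 random bits per ID, guessing an existing session by editing the cookie is not a practical attack, which is the property the answer relies on; the remaining risk is an attacker obtaining a real ID (hence the secure and httponly flags in sessionCookieParams()) or fixing one before login (hence the rotation on login).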